September 8th, 2022
Why does diversity in cybersecurity matter?
There is a lack of diversity in cybersecurity—a problem that is frequently discussed but insufficiently addressed. In this post, we’re going to look at the importance of diversity in cybersecurity, both from a business and a security standpoint, and suggest some practical steps companies can take to make things better.
Diversity in cybersecurity by the numbers
The lack of diversity in cybersecurity, and in tech generally, is so well known that it hardly bears repeating. As such, we won’t spend a lot of time on the background to the problem. But it’s worth offering a few statistics at the outset to ground the discussion:
Recent statistics reveal ongoing minority underrepresentation in cybersecurity as well, with 9% of U.S. security workers self-identifying as Black or African American and just 4% as Hispanic.
There are, of course, many other kinds of diversity that could be discussed here. But for the purposes of brevity, we’ll leave it at that. The takeaway, to put the matter a little crudely, is that cybersecurity in western countries is still overwhelmingly white and male. And that needs to change for a number of reasons.
Why diversity matters for cybersecurity
We’re going to go out on a limb here and assume that nearly everyone reading this will understand and sympathize with the ethical case for diversity in cybersecurity. It’s a matter of basic fairness and inclusion: a societal and moral good in and of itself.
Rather than rehash those arguments, let’s look at several other reasons that companies should work towards diversity in cybersecurity:
It leads to better cybersecurity. To begin with, studies show that diverse teams perform better than homogeneous ones in general. But beyond this, there are cybersecurity-specific challenges that make diversity hugely beneficial. Many security tasks require the ability to adopt a broad outlook; to consider every possibility. Examples include threat modeling, anticipating an adversary’s tactics, predicting end user behavior, and so forth. Now ask yourself which security team will be able to do those things better. The one where everyone has the exact same background? Or the one that’s drawing on diverse experiences and perspectives?
It stops raw talent from going to waste. There are individuals who have a natural aptitude for certain kinds of work. Cybersecurity is no exception. We’ve probably all met one of these gifted problem solvers: that rare person who seems like they were born to hack! But when there’s a lack of diversity in an industry, many of these talented people never get the chance to realize their potential. That’s sad on a human level, of course, but in a world where nation states and cybercriminals are stepping up their attacks every year, it’s an enterprise and national security issue as well.
It has business benefits for companies seeking investment. Environmental, social, and corporate governance (ESG) is becoming increasingly important in the investment world, with ESG assets predicted to reach $50 trillion by 2025. For publicly traded companies, ESG reporting is taken very seriously already, with diversity and inclusion being an important part of that. Listed cybersecurity companies aren’t all that common yet, but there are many firms in the industry that want to join their ranks, and nearly all of these are seeking venture capital funding: the next great frontier in ESG investing according to some observers. For cybersecurity companies looking for investors, building a diverse team isn’t just the right thing to do—it’s good business too.
It solves a fundamental problem in the industry. It’s notoriously hard to fill open cybersecurity positions: a challenge that has serious implications for organizational security. By helping people from underrepresented groups enter the field, companies can begin to address the issue in a direct way.
How cybersecurity firms can do better
The problem of diversity in cybersecurity is a large-scale issue. But individual companies can take steps to make a difference:
Broaden the application pool
A person from an underrepresented group already has a steep hill to climb if they want to break into cybersecurity. Unfortunately, companies often have HR practices that make it even harder, turning cybersecurity into a members-only club. It is also important for organizations to look at people who are self-educated and do not necessarily have a college degree.
Aspiring cybersecurity professionals, for example, show massive initiative through self-learning and earning basic certifications on their own—only to run into “entry-level” job postings that ask for years of experience and a CISSP.
If a company is serious about diversity, it has to be willing to hire people who aren’t already working in the industry. This means hiring people who have potential (and meet the basic requirements of the job), and then providing training, coaching, and mentorship as needed.
Build an equitable hiring process
In order to increase diversity, companies need to examine their hiring process to make sure it supports this goal instead of working against it.
In cybersecurity, and in tech generally, there is a problem with unconscious bias in the recruitment, interview, and hiring process. It’s important to ensure that all resumes are considered fairly, and that interviews are conducted and assessed objectively.
Companies might also need to reconsider a few mainstays of the tech interview. For example, in many cases culture fit questions lead to interviewers simply hiring people who remind them of themselves—probably not the best strategy if you’re trying to increase diversity!
Obviously, it’s hard to see your own blind spots. But making a commitment to fair hiring is a good first step. There are also lots of helpful resources available to companies that want to do better.
Support groups working for diversity in cybersecurity
There are organizations in cybersecurity that work to bring people from underrepresented groups into the field. Getting involved with one of these groups is an excellent way for companies to improve diversity in cybersecurity directly, while at the same time building a professional network that can help them diversify their own teams.
There are many formal organizations that offer training, mentorship, and support to their members. Here are some good ones that we know of:
Cyversity (formerly the International Consortium of Minority Cybersecurity Professionals)
There are also special initiatives like the Mock Interview and Resume Review (MIRR) workshop, a program that helps people from marginalized communities write attention-grabbing resumes and prepare for technical job interviews. Executive and management-level volunteers from cybersecurity companies work with MIRR to provide feedback and guidance to the participants.
To show concrete support for diversity in cybersecurity, companies can reach out to one of these organizations and volunteer time, expertise, or training.
How LimaCharlie is helping
At LimaCharlie, we want to democratize access to cybersecurity.
We also try to help people who aren’t currently working in the industry prepare themselves for a career in cybersecurity. To this end, we’ve created LimaCharlie Academy, a self-guided learning portal that uses the LimaCharlie platform to teach cybersecurity fundamentals.
And for the next month, LimaCharlie will be donating $25 for every demo booked to The Diana Initiative: a conference committed to helping all those underrepresented in Information Security. You can sign up for a demo at the following link: Book A Demo